It seems that IE has a serious design flaw in its Cascading Style Sheets imports mechanism. This flaw allows an attacker to bypass cross domain restrictions and fetch snippets of code from another site.

To import a CSS file to a page one can use the @import directive in the STYLE section of a web page or use the handy IE only method "addImport". The imported style sheets can later be read by using the "cssText" property in the "document.styleSheets" collection.

IE's lenient CSS parser allows one page to do an import on a URL that is not a valid CSS file. Afterwards the "cssText" property can be read with pieces of code from that URL that were mis-parsed as CSS rules. Since CSS rules have a certain structure the amount of code that can be gleaned from a remote site depend a lot on the target site's design and code. The target site must have some combination of curly braces, colons and semi colons so pieces of code can be seen in the cssText property. Since most modern sites have javascript code and CSS rules embedded on the pages themselves, it's almost always possible to retrieve at least some code.

An attacker can improve his luck by injecting these characters into the target site through parameters in the URL. Many sites allow these characters to come through unchanged since they consider them harmless. Through trial and error, an attacker may be able to retrieve large portions of the target site.

Using this vulnerability I was able to exploit Google Desktop to search and retrieve private user information, such as passwords and credit card numbers, from a local hard drive. Google Desktop's interface is actually a web server that listens on port 4664 on the localhost address. To access it one must have a valid key that's randomly generated. A link to "Desktop" appears on all of Google's websites once a user installs it. This link is injected through a browser plugin.

By CSS importing the Google News website with a query that inject the curly braces I was able to retrieve the "Desktop" link with the valid key. Then it's simply a matter of doing another CSS import on the URL of the local webserver with the valid key plus a query for what I needs to be found on the local hard drive. By injecting a "{" character into this query I was able to retrieve the all the search results from the query.

This vulnerability extends way beyond Google Desktop. I was able to exploit at least one other webmail service using this technique. It's very much like classic XSS attacks only here the target site doesn't have to be vulnerable to script injection.

Firefox doesn't seem to be affected since it enforces cross domain restrictions on CSS imports. Opera doesn't support the "styleSheets" collection so it's not vulnerable as well. I tested this vulnerability on a fully patched IE6 browser and earlier versions are possibly vulnerable as well.